Privacy Policy
Last Updated: January 1, 2023
This Privacy Policy applies to your use of any online services (e.g., websites, other electronic communications channels, and certain emails we send) operated by AllyGPO, LLC, its affiliates, and its business lines, including AllyRetina, AllyOncology, AllyNeurology, AllyRheumatology, AllyAnalytics, and AllyIQ (collectively, “AllyGPO”, “we”, “us”, “our”) regardless of how you access or use them, that post a link to this Privacy Policy (“Service”). BY ACCESSING, VISITING, OR OTHERWISE USING THE SERVICE, YOU AGREE TO THE SERVICE’S TERMS OF USE AND CONSENT TO ALLYGPO’S DATA COLLECTION, USE, AND DISCLOSURE PRACTICES, AND OTHER ACTIVITIES AS DESCRIBED IN THIS PRIVACY POLICY. If you do not agree and consent, please discontinue use of the Service. For certain aspects of the Service, there may be additional notices about information practices and choices. Please read those additional privacy disclosures to understand how they apply to you.
Your California Privacy Rights
California residents have certain privacy rights detailed in the California Privacy Notice section. To the extent that there is a conflict between this Privacy Policy and the California Privacy Notice, the California Privacy Notice will control.
1. WHAT INFORMATION DO WE COLLECT?
(a) Information That You Provide
AllyGPO and/or its Service Providers (defined below) may collect information you provide directly to AllyGPO and/or its Service Providers via the Service, such as when you log in to the Service, update your personal profile, place an order in our online stores, attend a training event, subscribe to email notifications or publications, respond to an online survey or submit a webform.
For example, you may be asked to enter your name, job title, birth date, age, email address, mailing address or phone number, and, if you are acting on behalf of your employer, the employer’s name. In limited circumstances, you may be asked to provide demographic information, such as your gender, age, zip code, and interests.
You may visit the Service without providing personal information; however, performing certain transactions on the Service may not be possible without providing such information.
(b) Information Collected Automatically
AllyGPO, its Service Providers, and/or Third-Party Services may also automatically collect certain information about you when you access or use the Service (“Usage Information”), which may include:
- the IP address of the computer you use to access the Service;
- the browser and internet domain used;
- the operating system used by your browser;
- the date and time of access to the Service;
- undeleted cookies;
- navigation information, including the source (e.g., website) from which you were referred, if any; and
- pages visited on the Service.
For more information on Third-Party Services’ data collection and practices visit the Third-Party Services, Advertising and Analytics section.
The methods that may be used on the Service to collect Usage Information include:
- Log Information:Log information is data about your use of the Service, such as IP address, browser type, Internet service provider, referring/exit pages, operating system, date/time stamps, and related data, and may be stored in log files.
- Information Collected by Cookies and Other Tracking Technologies: Cookies, web beacons (also known as “tracking pixels”), embedded scripts, location-identifying technologies, device recognition technologies, device and activity monitoring and other tracking technologies now and hereafter developed (“Tracking Technologies”) may be used to collect information about interactions with the Service, including information about your browsing and purchasing behavior.
Some information about your use of the Service and certain other online services may be collected using Tracking Technologies across time and services and used by AllyGPO and third parties for purposes such as to deliver relevant ads and/or other content to you on the Service and certain other online services. See Choices: Tracking and Communication Options section regarding certain choices regarding these activities.
AllyGPO is giving you notice of the Tracking Technologies and your choices regarding them explained in the Choices: Tracking and Communication Options section so that your consent to encountering them is meaningfully informed.
(c) Information AllyGPO Collects From Other Sources
AllyGPO may also obtain information about you from other sources, including Service Providers and Third-Party Services, and publicly available sources, and combine that with the information collected on the Service. If we combine such third-party sourced data with data collected on the Service, we will treat it as described under this Privacy Policy.
Please note, the definition of “personal information” under certain laws differs from the definition of personal information used in this Privacy Policy.
2. HOW WE USE YOUR INFORMATION
AllyGPO may also use any of your information in one or more of the following ways, or as otherwise permitted or required by law:
- To personalize your experience. Your information helps us to better respond to your individual needs.
- To improve the Service. We continually strive to improve the Service offerings based on the information and feedback we receive from you.
- To respond to questions and concerns, and to improve customer service. Your information helps us to more effectively respond to your customer service requests and support needs.
- To process transactions and conduct general business activities. For example, your information may be shared with third-party service providers who use it to perform functions on our behalf. These companies or individuals may perform services such as processing orders; sending mail, email, or text messages; or providing marketing or database marketing services, search engine optimization analysis or call center services, among others.
- To administer a contest, promotion, survey, or other Service feature.
- To send periodic emails. We may use email addresses you provide to send you information and updates pertaining to our products and services that you use, in addition to sending occasional company news, updates, or related product or service information, etc. If you wish to opt-out of promotional emails, please email us at privacyofficer@AllyGPO.com or follow the instructions in promotional emails that you receive from us to unsubscribe.
- To improve our Service or to otherwise identify new or modified needs that can be fulfilled by our organization.
- Prevent and address fraud, breach of policies or terms, threats and/or harm.
- To comply with law, for regulatory purposes, or for accreditation or compliance purposes.
- To manage your account (if we provide that functionality) and to complete an order in our online stores. For example, an email address is required for confirmation and delivery of your order.
3. HOW WE SHARE INFORMATION
Generally, we provide personal information to third-party Service Providers only when those entities are providing services for us, and where they agree to comply with our privacy policy or otherwise process your information only on our behalf.
AllyGPO may share any information about you for any purposes not inconsistent with this Privacy Policy, or our written statements at the point of collection, and otherwise not prohibited by applicable law, including, without limitation:
- With our AllyGPO’s agents, vendors, consultants, and other service providers (collectively “Service Providers”) may receive, or be given access to, your information in connection with their work on AllyGPO’s behalf.
- To comply with the law, law enforcement or other legal process, and, where permitted, in response to a government request; and
- If AllyGPO believes your actions are inconsistent with AllyGPO’s terms of use, user agreements, applicable terms or policies, or to protect the rights, property, life, health, security and safety of AllyGPO, the Service or its users, or any third party.
In addition, we may share your information as follows:
- Marketing: Subject to your communications choices explained in the Choices: Tracking and Communication Options section, we may use your personal information to send you marketing communications. Absent your consent (which may be by means of opt-in, your election not to opt-out, or a third party interaction described in the next bullet point), however, AllyGPO will not share your information with third parties, for their own direct marketing purposes.
- Your Disclosure or Consent: As more fully described in the Information You Disclose to Others and the Analytics and Advertising Tracking Technologies sections, your activities on the Service may, by their nature, result in the sharing of your information with third parties and by engaging in these activities you consent to that and further sharing and disclosure to third parties. Such third-party data receipt and collection is subject to the privacy and business practices of that third party, not AllyGPO.
Your information may be included in aggregated and anonymized data that AllyGPO discloses to third parties for business operations purposes and in support of our mission. In addition, AllyGPO may share your information in connection with or during negotiations of any proposed or actual financing of our business, or merger, purchase, sale, joint venture, or any other type of acquisition or business combination of all or any portion of AllyGPO assets, or transfer of all or a portion of AllyGPO’s business to another company, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding (“Corporate Transactions”).
4. INFORMATION YOU DISCLOSE TO OTHERS
The Service may permit you to post or submit user-generated content (“UGC”) including, without limitation, written content, user profiles, audio or visual recordings, computer graphics, pictures, data, or other content, including personal information. If you choose to submit UGC to any public area of the Service, to the extent public areas are made available to you, your UGC will be considered “public” and will be accessible by anyone, including AllyGPO. Notwithstanding anything to the contrary, unless otherwise explicitly agreed by AllyGPO, personal information included in UGC is not subject to our usage or sharing limitations, or other obligations, and may be used and shared by us and third parties to the fullest extent not prohibited by applicable law. We encourage you to exercise caution when making decisions about what you disclose in such public areas.
5. THIRD-PARTY SERVICES, ADVERTISING AND ANALYTICS
The Service may include or link to third-party websites, apps, locations, platforms, code (e.g., plug-ins, application programming interfaces (“API”)) or other services (“Third-Party Service(s)”). These Third-Party Services may use their own cookies, web beacons, and other Tracking Technology to independently collect information about you and may solicit Personally Identifiable Information from you.
Certain functionalities on the Service permit interactions that you initiate between the Service and certain Third-Party Services, such as third party social networks (“Social Features”). Examples of Social Features include: enabling you to send content such as contacts and photos between the Service and a Third-Party Service; “liking” or “sharing” AllyGPO’s content; logging in to the Service using your Third-Party Service account (e.g., using Facebook Connect to sign-in to the Service); and to otherwise connect the Service to a Third-Party Service (e.g., to pull or push information to or from the Service). If you use Social Features, and potentially other Third-Party Services, information you post or provide access to may be publicly displayed on the Service (see Information You Disclose to Others section) or by the Third-Party Service that you use. Similarly, if you post information on a Third-Party Service that references the Service (e.g., by using a hashtag associated with AllyGPO in a tweet or status update), your post may be used on or in connection with the Service or otherwise by AllyGPO. Also, both AllyGPO and the third party may have access to certain information about you and your use of the Service and any Third-Party Service.
AllyGPO may engage and work with Service Providers and other third parties to serve advertisements on the Service and/or on other online services. Some of these ads may be tailored to your interest based on your browsing of the Service and elsewhere on the Internet, which may include use of precise location and/or Cross-device Data, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”), which may include sending you an ad on another online service after you have left the Service (i.e., “retargeting”). We may use Microsoft and Google for advertising services. See Choices: Tracking and Communications Options section for more information on your choices regarding certain personalized advertising.
AllyGPO uses Google Analytics for analytics services. These analytics services may use cookies and other Tracking Technologies to help AllyGPO analyze Service users and how they use the Service. Information generated by these analytics services (e.g., your IP address and other Usage Information) may be transmitted to and stored by these Service Providers on servers in the U.S. (or elsewhere) and these Service Providers may use this information for purposes such as evaluating your use of the Service, compiling statistic reports on the Service’s activity, and providing other services relating to Service activity and other Internet usage. See the Choices: Tracking and Communications Options section for more information on your choices regarding these services.
AllyGPO is not responsible for, and makes no representations regarding, the policies or business practices of any third parties, including, without limitation, analytics Service Providers and Third-Party Services associated with the Service, and encourages you to familiarize yourself with and consult their privacy policies and terms of use. See Choices: Tracking and Communications Options section for more on certain choices offered by some third parties regarding their data collection and use, including regarding Interest-based Advertising and analytics.
6. DATA SECURITY AND RETENTION
AllyGPO takes reasonable measures described below to protect you from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. Nevertheless, transmission via the Internet and online digital storage are not completely secure and AllyGPO does not guarantee the security of your information collected through the Service.
By way of example, we implement a variety of security measures to maintain the safety of your personal information. We use a secure server for payment transactions. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology. Sensitive data is also encrypted in the payment gateway provider’s database, which is accessible only by those with authority who are performing authorized functions. You can help protect your information, by protecting and not sharing your username and password.
We also limit the data that we retain to the data needed for the purpose, and we only store your information for a reasonable time, based on the type of information and its use. General information includes information such as username and passwords, and general business transaction information. Payment information is not considered general business transaction information and is addressed in the next paragraph. AllyGPO has a document management policy that governs retention of information. Retention is based on legal and business needs.
Furthermore, after a payment transaction, your private information, such as credit card numbers and purchase order numbers, will not be stored on our servers any longer than it is necessary to complete the transaction.
7. DATA TRANSFERS
AllyGPO is based in the U.S. and the Service is intended for a U.S. audience. The information AllyGPO and its Service Providers collect is governed by U.S. law. If you are accessing the Service from outside of the U.S., please be aware that information collected through the Service may be transferred to, processed, stored, and used in the U.S. Data protection laws in the U.S. may be different from those of your country of residence. Your use of the Service or provision of any information therefore constitutes your consent to the transfer to and from, processing, usage, sharing, and storage of your information, including personal information, in the U.S. as set forth in this Privacy Policy.
8. ACCESSING AND CHANGING INFORMATION
To the extent required by applicable law, AllyGPO may provide mechanisms allowing you to delete, correct, or update some of the information about you. Please contact us at the information below if you have any questions regarding how to access or change your information. AllyGPO will make good faith efforts to make requested changes in AllyGPO’s then-active databases as soon as practicable, but it is not always possible to completely change, remove or delete all of your information or public postings from AllyGPO’s databases and residual and/or cached data may remain archived thereafter. Further, we reserve the right to retain data (a) as required by applicable law; and (b) for so long as reasonably necessary to fulfill the purposes for which the data is retained except to the extent prohibited by applicable law.
9. CHOICES: TRACKING AND COMMUNICATIONS OPTIONS
(a) Tracking Technologies Generally
Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options, so you may need to set them separately. Please be aware that if you disable or remove these technologies, some parts of the Service may not work and that when you revisit the Service your ability to limit browser-based Tracking Technologies is subject to your browser settings and limitations.
Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no consensus among industry participants as to what “Do Not Track” means in this context. Like many online services, AllyGPO currently does not alter AllyGPO’s practices when AllyGPO receives a “Do Not Track” signal from a visitor’s browser. To find out more about “Do Not Track,” you can visit https://allaboutdnt.com, but AllyGPO is not responsible for the completeness or accuracy of this third party information. Some third parties, however, may offer you choices regarding their Tracking Technologies. One way to potentially identify cookies on our web site is to add the free Ghostery plug-in to your browser (https://www.ghostery.com), which according to Ghostery will display for you traditional, browser-based cookies associated with the web sites (but not mobile apps) you visit and privacy and opt-out policies and options of the parties operating those cookies. AllyGPO is not responsible for the completeness or accuracy of this tool or third-party choice notices or mechanisms. For specific information on some of the choice options offered by third party analytics and advertising providers, see the next section. We may, from time-to-time, and in certain jurisdictions, offer or point you to tools that allow you to exercise certain preferences regarding cookies and other Tracking Technologies associated with the Services, but such tools rely on third parties and third party information so we do not guarantee that the tools will provide complete and accurate information or be completely effective. For instance, here is where you can find cookie controls for popular browsers:
We do not represent that these third-party tools, programs or statements are complete or accurate. You will need to do this on each browser that you use to access our Services, and clearing cookies on your browser(s) may disable your preference settings. Also, our Services may not function properly or as intended if you block all or even certain cookies. Accordingly, you may want to consider the more limited opt-out choices noted in the next section.
(b) Analytics and Advertising Tracking Technologies
You may exercise choices regarding the use of cookies from Google Analytics by going to https://support.google.com/analytics/answer/6004245 or downloading the Google Analytics Opt-out Browser Add-on.
You may choose whether to receive some Interest-based Advertising by submitting opt-outs. Some of the advertisers and Service Providers that perform advertising-related services for us and third parties may participate in the Digital Advertising Alliance’s (“DAA”) Self-Regulatory Program for Online Behavioral Advertising. To learn more about how you can exercise certain choices regarding Interest-based Advertising, including use of Cross-device Data for serving ads, visit https://youradchoices.com, and https://optout.aboutads.info for information on the DAA’s opt-out program specifically for mobile apps (including use of precise location for third party ads). Some of these companies may also be members of the Network Advertising Initiative (“NAI”). To learn more about the NAI and your opt-out options for their members, see https://optout.networkadvertising.org. Please be aware that, even if you are able to opt out of certain kinds of Interest-based Advertising, you may continue to receive other types of ads. Opting out only means that those selected members should no longer deliver certain Interest-based Advertising to you but does not mean you will no longer receive any targeted content and/or ads (e.g., from other ad networks). Also, if your browsers are configured to reject cookies when you visit these opt-out webpages, or you subsequently erase your cookies, use a different device or web browser or use a non-browser-based method of access (e.g., mobile app), your NAI / DAA browser-based opt-out may not, or may no longer, be effective.
We may also use Google Ad Services. To learn more about the data Google collects and how your data is used by it and to opt out of certain Google browser Interest-Based Advertising, please visit here.
We cannot control how third-party websites handle do-not-track options. Please read the privacy policies of the third-party websites to understand their response to opt-out mechanisms. AllyGPO is not responsible for effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs.
(c) Mobile Apps
With respect to our mobile apps (“apps”), if we provide any, you can stop all collection of data generated by use of the app by uninstalling the app. Also, you may be able to exercise specific privacy choices, such as enabling or disabling certain features (e.g., tracking across apps and websites owned by other online services, location-based services, push notifications, accessing calendar/contacts/photos, etc.), by adjusting the permissions in your mobile device and/or the app’s settings.
(d) Communications
You can opt out of receiving certain promotional communications from us at any time by (i) for promotional emails, following the instructions provided in emails to click on the unsubscribe link, or if available by changing your communication preferences by logging onto your account; (ii) for text messages, following the instructions provided in text messages from us to text the word, “STOP”; and (iii) for app push notifications turn off push notifications on the settings of your device and/or the app, as applicable. Please note that your opt-out is limited to the e-mail address or phone number used and will not affect subsequent subscriptions. If you opt-out of only certain communications, other subscription communications may continue. Even if you opt out of receiving promotional communications, we may, subject to applicable law, continue to send you non-promotional communications, such as those about your account, transactions, servicing, or our ongoing business relations.
10. CALIFORNIA PRIVACY NOTICE
As a supplement to other information provided throughout this Privacy Policy, we provide the following additional information as a notice to residents of California (“Consumers”) in accordance with the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (“CCPA”). This California Privacy Notice covers our collection, use, disclosure, and sale of Consumers’ “personal information” (also referred to herein as “PI”) as defined by the CCPA.
This California Privacy Notice does not apply to data that is collected in a human resources (“HR”) context. For example, if you are a California resident and an employee or job applicant of AllyGPO, or if we have collected data from or about you otherwise in a HR context, please visit here if you are a California resident.
This California Privacy Notice is a supplement to our other privacy policies and notices, including the rest of the general Privacy Policy. In the event of a conflict between any other AllyGPO policy, statement, or notice and this California Privacy Notice, this California Privacy Notice will prevail as to Consumers and their rights under applicable California privacy law.
This California Privacy Notice is designed to provide you with notice of our recent, historical data practices over the prior 12 months (from the “Last Updated” listed at the top of this California Privacy Notice). This California Privacy Notice will be updated at least annually. This California Privacy Notice also applies to our current data practices, such that it is also meant to provide you with “Notice at Collection,” which is notice of personal information we collect online and offline, and the purposes for which we process personal information, among other things required by the CCPA. For any new or substantially different processing activities that are not described in this California Privacy Notice, we will notify you as required by California law, including by either notifying you at the time of collecting personal information, or by updating this California Privacy Notice earlier than required. We reserve the right to amend this California Privacy Notice at our discretion and at any time. When we make changes to this California Privacy Notice, we will post an updated version on the Service (as defined in the Privacy Policy) and update the “Last Updated” date above.
Section(a) of this California Privacy Notice covers our collection, use, and disclosure of Consumers’ personal information (referred to herein as “personal information” or “PI”) as defined under the CCPA.
Section(b) of this California Privacy Notice describes your rights under the CCPA and explains how to exercise those rights. Sections(c) and (d)include other information required by the CCPA or information that we believe is helpful to provide to you as part of this privacy policy.
(a) Our Collection, Use, and Disclosure of Personal Information
Generally, we collect, retain, use, and disclose your PI in order to provide you services and as otherwise related to the operation of our business, which include both business purposes and commercial purposes. Business purposes are purposes which are generally not tied to an opt-out right under the CCPA, such that they do not implicate Sale or Sharing as defined under the CCPA (see the Do Not Share/Sell section below. Business purposes include purposes such as:
- The purposes listed in the Privacy Policy above, including in the How We Use Your Information and How We Share Information sections.
- The specifically listed CCPA business purposes (below in italics).
- The purposes explained at the time of collection (such as in the applicable privacy policy or notice).
- Other purposes that are related to or compatible with the context in which we collected your PI, or that are required or permitted by the CCPA.
Our business purposes also include the disclosure of PI (which may include all of the categories of PI in the table below) to certain recipients, such as:
- Our vendors that perform services for us (including “Service Providers” defined under the CCPA, which we refer to as “Service Providers” herein), which include external auditors and professional advisors (“Vendors”).
- The Consumer or other parties at your direction or through your intentional action.
- The government or private parties to comply with law or legal process.
- Assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”).
- In addition, our Vendors and other recipients listed in the below table may, subject to contractual restrictions imposed by us and/or legal obligations, also use and disclose your PI for business purposes. For example, our Vendors and the other categories listed in the table below may themselves engage Service Providers or subcontractors to enable them to perform services for us or process for our business purposes.
CCPA-Listed Business Purposes include:
- providing our products and services, including maintaining and servicing accounts, processing purchases and payments, verifying information, and responding to inquiries;
- marketing, analytics, and similar functions and services used to communicate with you about our products and services;
- detecting security incidents and protecting against malicious, deceptive, or illegal activity;
- troubleshooting our Service to identify and repair issues;
- internal research and development, including the improvement of our Service;
- quality and safety assurance, and improving, upgrading, and enhancing our products and services; and
- processing and managing interactions and transactions for our products and services.
Commercial purposes, on the other hand, are generally associated with an opt-out right under the CCPA; in particular, where they involve Sales or Sharing as defined under applicable California law. Examples include where Third-Party Digital Businesses (defined below) collect your PI via third-party cookies, and when we or such Third-Party Digital Businesses process PI for certain advertising purposes.
The table immediately below describes the categories of PI we collect, as well as examples of types of data that fit within such categories, in the left column. The right column states the categories of recipients that receive such PI as part of disclosures for business purposes, as well as disclosures which may be considered a Sale or Sharing under the CCPA.
Category of PI |
Category of Recipients |
1. Identifiers and Contact Information1 |
Disclosures for Business Purposes
Sale/Sharing: Third-Party Digital Businesses |
2. Personal Records2 |
Disclosures for Business Purposes
Sale/Sharing: None |
3. Personal Characteristics or Traits3 |
None Collected |
4. Customer Account Details / Commercial Information4 |
Disclosures for Business Purposes
Sale/Sharing: Third-Party Digital Businesses |
5. Biometric Information5 |
Not Collected |
6. Internet Usage Information6 |
Disclosures for Business Purposes
Sale/Sharing: Third-Party Digital Businesses |
7. Location Data |
None Collected |
8. Audiovisual and Similar Information7 |
Disclosures for Business Purposes
Sale/Sharing: N/A |
9. Professional or Employment Information (such as where you are employed and your title) |
Disclosures for Business Purposes
Sale/Sharing: N/A |
10. Non-Public Education Records |
None Collected |
11. Inferences From PI Collected8 |
Disclosures for Business Purposes
Sale/Sharing: Third-Party Digital Businesses |
1 Identifiers include real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, SSN, driver’s license number, passport number, or other similar identifiers. 2 Any personal information described in Cal. Civ. Code § 1798.80(e) – i.e., “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.” 3 characteristics of protected classifications under California or federal law, which include race, color, religion, sex/gender, gender identity/expression, sexual orientation, marital status, medical condition, military or veteran status, national origin, ancestry, disability, genetic information, request for family care leave, request for leave for employee own serious health condition, request for pregnancy disability leave, retaliation for reporting patient abuse in tax-supported institutions, and age (over 40). 4 Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. 5 An individual’s physiological, biological, or behavioral characteristics, including info pertaining to DNA used or is intended to be used singly or in combo with each other or with other identifying data, to establish individual identity. Includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying info. 6 Includes browsing history, search history, and info re a consumer’s interaction with an internet site, or advertisement. 7 Audio, electronic, visual, thermal, olfactory, or similar information. 8 Inferences drawn from any of the Information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
Sources of PI
As explained in the What Information Do We Collect section above, we collect PI from Consumers, their devices, Service Providers, and Third-Party Services (including third-party marketing vendors).
Data Retention
Because there are so many different types of PI in each category, and so many purposes and use cases for different data, we are unable to provide retention ranges based on categories of PI in a way that would be meaningful and transparent to you. Retention periods for each category of PI will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for so long as relevant to our business and may have a legal obligation to hold PI for so long as potentially relevant to prospective or actual litigation or government investigation. We apply the same criteria for determining if we have a legitimate purpose for retaining your PI that you ask us to delete. If you make a deletion request, we will conduct a review of your PI to confirm if legitimate ongoing retention purposes exist, will limit the retention period to such purposes for so long as the purpose continues, and will respond to you with information on any retention purposes on which we rely for not deleting your PI. For more information on deletion requests, see the Right to Deletion section.
(b) CCPA Consumer Rights
See immediately below for more information on the rights that Consumers have under the CCPA. Further below, we explain how you can exercise your rights and our verification procedures in the How to Submit a Privacy Rights Request section.
Right to Know/Access
You can make “right to know” (also known as “access”) requests, as described below, up to twice in a 12-month period.
Categories of Personal Information
You have the right to request that we share with you certain information about our collection, use and disclosure of your PI over the 12-month period prior to the request date. You can request that we disclose to you: (1) the categories of PI we collected about you; (2) the categories of sources for the PI; (3) our business or commercial purpose for collecting or selling that PI (i.e., if we have, in fact, sold PI); (4) the categories of third parties with whom we shared that PI; (5) a list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each, the categories of recipients, or that no disclosure occurred; and (6) a list of the categories of PI sold about you in the prior 12 months and, for each, the categories of recipients, or that no sale occurred.
Specific Pieces
You have the right to request a transportable copy of the specific pieces of personal information we collected about you in the 12-month period preceding your request. Please note that personal information is retained by us for various time periods, so there may be certain information that we have collected about you that we do not retain for even 12 months (and thus, it would not be able to be included in our response to you).
Right to Deletion
You have the right to request that we delete personal information that we collect or maintain. In response, we will delete, and instruct any applicable service providers to delete, your personal information from our records, unless an exception applies, which we will explain in relation to any deletion request that you make. As to information that we delete (i.e., that is not subject to a retention exception), we will either (i) permanently erase your PI on our existing systems with the exception of archived or back-up systems, (ii) de-identify your PI, or (iii) aggregate your PI with other information.
Right to Limit Sensitive PI Processing
Certain personal information qualifies as sensitive under the CCPA, which we refer to in this California Privacy Notice as “Sensitive PI.” The CCPA provides Consumers the right to direct businesses to limit their use and disclosure of Sensitive PI if we use or disclose it beyond certain internal business purposes. However, we do not believe we collect, use or disclose Sensitive PI beyond such internal business purposes.
Right to Correct
You have the right to request that we correct inaccuracies that you find in your personal information maintained by us. Your request to correct is subject to our verification (discussed above) and the response standards set forth in the CCPA.
Do Not Sell/Share
Under the CCPA, Consumers have the right to opt-out of certain targeted advertising activities – which the CCPA refers to as “cross-context behavioral advertising” – and which involves the use of PI from different businesses or services to target advertisements to you. The CCPA provides Consumers the right to opt-out of Sharing, which includes providing or making available PI to third parties for such targeted advertising activities. The CCPA also has opt-outs specific to the Sale of PI, which at a minimum requires providing or otherwise making PI available to a third party.
Third-Party digital businesses (“Third-Party Digital Businesses”) may associate with the Service various cookies and other tracking technologies (and others that may be developed at a later date) and collect certain PI whenever you visit or interact with the Service, or otherwise collect and process PI that we make available about you, including digital activity information. Giving access to PI on the Service, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Sharing. Therefore, we will treat such PI collected by Third-Party Digital Businesses (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) as such, and subject to the opt-out requests described above. In some instances, the PI we make available about you is collected directly by such Third-Party Digital Businesses using cookies and other tracking technologies on the Service or our advertisements that are served on third-party sites (which we refer to as “cookie PI”).
When you opt-out pursuant to the instructions below, it will have the effect of opting you out of Sale and Sharing, such that our opt-out process is intended to combine both activities into a single opt-out. Instructions for opting out are below.
Opt-Out for Cookie PI
If you would like to submit a request to opt-out of our processing of your cookie-related PI relating to the Sale or Sharing of Such data, you need to exercise a separate opt-out request on our cookie management tool using Do Not Sell or Share My Personal Information. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our cookie management tool. Beware that if you use ad blocking software, our cookie banner may not appear when you visit the Service and you may have to use the link to access the cookie management tool.
The CCPA also requires us to state that we do not knowingly Sell or Share the PI of Consumers under 16.
We may disclose your PI for the following purposes, which are not a Sale or Sharing: (i) if you direct us to share your PI; (ii) to comply with your requests under the CCPA; (iii) disclosures amongst the entities that constitute AllyGPO as defined above, to AllyGPO’s service providers, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.
Opt-Out Preference Signals (also known as Global Privacy Control or GPC)
The CCPA may require businesses to process GPC signals, which is referred to in California as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale and Sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. As of the “Last Updated” date at the top of the Privacy Policy, the CCPA’s regulations, which are supposed to set forth requirements as to OOPS/GPC, have not yet been finalized. We will process OOPS/GPC as required when the regulations are finalized. In the meantime, to our knowledge, we have configured the settings of our consent management platform to receive and process GPC signals on our websites, as explained by our consent management platform here.
Automated Decision-Making and Profiling
We may engage in processing that constitutes automated decision-making or profiling under the CCPA. However, as of the Last Updated date above, the definitions of these concepts, and any associated opt-out and access rights have not been added to the updated regulations of the CCPA.
Right to Non-Discrimination; Notice of Financial Incentive
We will not discriminate against you in a manner prohibited by the CCPA because you exercise your privacy rights. However, we may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data. In addition, we may offer you financial incentives for the collection, sale, retention, and use of your PI as permitted by the CCPA that can, without limitation, result in reasonably different prices, rates, or quality levels. The material aspects of any financial incentive will be explained and described in its program terms.
How to Submit a Privacy Rights Request
Submitting a Request
You may submit your request using the information in the Contact Us section or by emailing us at privacyofficer@AllyGPO.com or calling 1-866-255-9476. Only you, or someone you authorize to act on your behalf (e.g., your authorized agent), may make a request related to your PI.
Request Verification
In order for us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the California consumer we may have collected PI about or a person who has been duly authorized to make the request on behalf of the consumer.
To verify your identity, we ask that you provide us with, at a minimum, your full name and email, and the nature in which you have transacted or interacted with us. We will review the information provided as part of your request and may ask you to provide additional information via e-mail or other means as part of this verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. The same verification process does not apply to opt-outs of Sale or sharing, or Limitation of Sensitive PI requests, but we may apply some verification measures if we suspect fraud. (Note that verification is technically not permitted for DNS/Share and limit sensitive PI requests.)
For a specific pieces request and a request to delete important data, we are required to verify a California consumer’s identity to a high degree of certainty, which may include matching at least three data points provided by the California consumer with data points maintained by us (and which we have determined to be reliable for the purpose of verifying the consumer), together with a signed declaration under penalty of perjury that the requestor is the consumer whose PI is the subject of the request. We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot verify you in respect to certain requests, such as if you do not provide the requested information, we will still take certain action as required by the CCPA. For example:
- If we cannot verify your deletion request, we will refer you to this privacy policy for a general description of our data practices.
- If we cannot verify your Specific Pieces request, we will treat it as a Categories request.
Agent Requests
You may use an authorized agent to make a request for you, subject to our verification of (i) the agent, (ii) the agent’s authority to submit requests on your behalf, and (iii) of you. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of the CCPA.
Our Fulfillment of Requests
- We will not fulfill a CCPA privacy rights request unless we have been given sufficient information to reasonably verify that the requestor is the California consumer about whom we collected the personal information. Please follow any instructions provided and promptly respond to any follow-up inquiries so that we may confirm your identity.
- We will attempt to respond to California consumer requests as soon as possible. If we are unable to fulfill your request within 45 days, we will inform you of the reason and extension period of up to 45 days in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable receipt of a California consumer request. The response we provide will explain the reasons we cannot comply with a request, if applicable.
- We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before fulfilling your request.
- Some personal information we maintain about Consumers is not sufficiently associated with a Consumer for us to be able to verify that it is a particular California consumer’s personal information (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA, we do not include that personal information in response to Verifiable Consumer Requests. If we cannot comply with a request, we will explain the reasons in our response.
(c) Our Rights and the Rights of Others
We may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights and our obligations under the CCPA and as otherwise set forth in this privacy policy. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.
(d) Contact Us Regarding this California Privacy Notice
You can reach us at the information found in the Contact Us section below if you have any questions or comments about this.
11. COMPLIANCE WITH APPLICABLE LAWS AND LAW ENFORCEMENT
We intend that the Service will comply with all applicable laws at all times, and we may change the websites and the policies without notice (except as required by applicable laws), including if we believe that change is necessary for legal compliance purposes. We reserve the right to disclose at any time, without prior notice, any personal information when we believe disclosure is appropriate to comply with the law, to enforce website policies or to protect our or others’ rights, property, or safety. All users of the Service are required to use the Service in accordance with applicable law.
12. CHILDREN’S PRIVACY
We do not intentionally collect any information from anyone under 13 years of age. Our Service is directed to people who are at least 13 years old or older. If a parent finds that information of a child under 13 years of age has been provided to the Service, please notify us at privacyofficer@AllyGPO.com so that we can delete that information.
13. CHANGES TO THIS PRIVACY POLICY
We reserve the right to change this Privacy Policy prospectively effective upon the posting of the revised Privacy Policy and your use of our Service indicates your consent to the privacy policy posted at the time of use. However, we will not treat your previously collected personal information, to the extent it is not collected under the new privacy policy, in a manner materially different than represented at the time it was collected without your consent.
14. CONTACT US
If there are any questions regarding this Privacy Policy, or if you believe that we hold information about you that is incorrect, you may contact us at the following mailing address or email address:
AllyGPO, LLC.
Attn: Privacy Officer
5 Cowboys Way, Suite 300
Frisco, TX 75034
1-866-255-9476